RE: vBulletin Security Vulnerability
From: Ferruh Mavituna (ferruh mavituna.com)
Date: Thu Jan 22 2004 - 23:06:32 CST
Hello;
This must be an option or something like that in the new vBulletin. After a
small search on Google you can find all "vBulletin v3.0.0 Beta 7" forums.
---------------------------------------------------------------------------
"We can only assume that this vulnerability was found in a site running code
modified from that supplied by Jelsoft."
---------------------------------------------------------------------------
Not "a site"; most of them are vulnerable. If you provide this customization, yes,
vBulletin is not vulnerable, but "Jelsoft customizations" are vulnerable.
And most of these forums have register.php "Standard / Quick" selection and
"regtype" hidden field.
Almost 80% of your customers are vulnerable.
Ferruh.Mavituna
http://feruh.mavituna.com
PGPKey : http://ferruh.mavituna.com/PGPKey.asc
-----Original Message-----
From: Kier Darby [mailto:kier vbulletin.com]
Sent: Wednesday, January 21, 2004 10:36 PM
To: vuln-dev securityfocus.com
Subject: Re: vBulletin Security Vulnerability
In-Reply-To: <20040120190824.GA4674 natalya.rebby.com>
No patch has been issued for this 'vulnerability' because no vulnerability
exists.
There is no hidden field called "reg_site", nor any $reg_site variable
anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has
it ever existed.
We can only assume that this vulnerability was found in a site running code
modified from that supplied by Jelsoft.